Posted
by
yaelk
on Friday February 26, 2016 @05:09PM
from the is-your-browser-secure dept.

An anonymous reader writes: 90% of all SSL-based VPNs use insecure or outdated encryption. According to research conducted by information security firm High-Tech Bridge, almost three-quarters of all SSL VPNs use the outdated SSLv3 and SSLv2. In addition, another three-quarters use untrusted certificates exposing users to MitM attacks. 74% use SHA-1 to sign certificates, while 5% of all SSL VPNs still use MD5. All of a sudden, VPNs don't look that secure anymore.

I don't see your point here. This site, I suppose you are talking about news.softpedia.com here, is an informational site only. There is no need to encrypt communication between your browser and this site. You do not exchange credentials and/or password and/or any confidential information. In case you haven't notice. SSL/TLS and encryption are useful only to prevent someone to eavesdropping the conversation and to authentify one or both parties. I don't see any usage for this here.

...There is no need to encrypt communication between your browser and this site... In case you haven't notice. SSL/TLS and encryption are useful only to prevent someone to eavesdropping the conversation and to authentify one or both parties.

Those sound to me like very good reasons for using encryption regardless of whether it is "needed" or not. If i always use encryption, then I don't have to think about when to switch it on and off. It's always on.

I don't think anyone thinks it will prevent a targeted attack, but it does keep my ISP from sending me emails regarding all the Scooby Doo parady porn someone keeps downloading using my account.

Even a bad VPN is like WEP encryption on your wireless: It stops people from just reading your traffic without effort, prevents businesses from manipulating your traffic as it passes through their networks, and makes any attempt to do either a crime.

WEP does not prevent people from reading traffic. WEP is broken to the point that it can be decrypted with a userland program that merely has to be run. It's harder to actually capture network traffic than it is to break WEP.

Otherwise I would agree, provisionally, with your statement. Making the traffic hard to view is normally good enough for the vast majority of cases, it doesn't hve to be impossible to view. The problem though, like the aforementioned WEP example, is when the tools to break that w

His point was you can't even get out of bed without effort. The barrier to entry to crack WEP is with the same difficulty of installing Chrome and even less difficulty than installing Wireshark. That's their point. I have not even tried to research this topic other than "it's easy" according to researchers.

I use a VPN service, and even if it were relatively breakable, it forces an attacker to be actively attacking the connection. Passive sifting is blocked, which is what I aim for. I use a VPN service for several reasons:

1: So the local link doesn't have access to all traffic. Some ISPs used to stick identifying headers into every web page request via active MITM. With a VPN, this is blocked.

2: Crap like Phorm is blocked, so in-flight ads and possibly malvertising is stopped cold.

There are 2 parts to this; and I'm not sure which applies, or perhaps both:

If 90% number applies only to VPN Proxy services for the purposes you mention; to simply give you 1 hop bridge past whatever nonsense your ISP is doing and to cheese off advertisers and region restricting geolocates and so forth that's one thing.

This is exactly the reason I use a VPN at work for "everything" not customer-facing. I don't really care if a sophisticated attacker could get in; I have backups and would never pay anybody for that data. I'm more worried about casual access, and confidential business data ending up in web caches or other databases.

Doesn't mean I leave things less secure than practicable, it just means that I don't get snooty about having it locked down well. The important thing is having it locked down at all!

I'm not sure he is talking about what I think he is talking about with untrusted certs. Self signed certs are MORE secure as long as the party at both ends understands the process. You simply cannot have a true secret when there is a 3rd party. Certificate authorities are only there to make the process acceptably easy for those who don't know what is going on.

I'm pretty sure that my SSL VPN would not be included in this survey as we don't publish it and only give the URL to those that need it... But if it were, it would be in this insecure category because of an untrusted certificate. Except it's not. The certificate is signed using our internal CA which is trusted on all company computers. We don't want people connecting using their personal computers so I'm not at all concerned with putting a globally trusted cert on it. Other than that, it is secure. We don't use SHA1, we do use TLS rather than SSL, and we use FS. So while they would call it a fail, I would not.

>> I'm not sure he is talking about what I think he is talking about with untrusted certs

I had that impression too. When I've used VPNs with certs, it's been in situations where mutual authentication of specific certificates was used - no CAs necessary. Anyone who's used client keys with SSH or even just PGP would be familiar with the situation.

I'm not sure he is talking about what I think he is talking about with untrusted certs. Self signed certs are MORE secure as long as the party at both ends understands the process. You simply cannot have a true secret when there is a 3rd party. Certificate authorities are only there to make the process acceptably easy for those who don't know what is going on.

You don't give your certificate to a third party by getting a signed certificate. You generate a signing request, which contains a check sum of your

Self signed certs are MORE secure as long as the party at both ends understands the process.

I'm not sure how that can be since all root certs are simply self signed certs. There's just the ones that someone else has told us to trust such as the ones that come by default in your browser, and the ones that you deliberately choose to trust. There's also nothing that says you can't delete any "trusted" certs that you choose not to trust.

a lot of those towers cost a lot of money to operate, even when not in use. rent, power, etc. lots of expenses not related to bandwidth. so you are paying for a lot of infrastructure that may be used maybe 40 hours a week at most

Most of those expenses have been offloaded to the localities. It would be a LOT more expensive to have a cell phone if they all had to pay their fair share in physical space, taxes, spectrum and energy but most of that is subsidized. The real savings would come if they were actually forced to share the stuff the government gave them through your tax money.

Most machines running VPNs haven't updated their SSL libraries could be more precise. Maybe some VPNs bundle their own SSL libraries within their product but in that case, it would make more sense if they used the system wide libraries.

Problem is, their test site doesn't seem to recognize openvpn... claims these sites don't use openvpn.

It may also be possible that -- since the PIA domains I gave it likely support protocols other than openvpn -- their tool saw something else on another port and stopped concluded "SSL/TLS not supported".

So far, it seems like a junk study to me which is too bad.... I would have liked some accurate feedback about VPN services I'm interested in (including the service that/. is pushing).

Not sure how much money you have but I highly recommend CryptoStorm. [cryptostorm.is] Very inexpensive, plenty of payment options, and they even have a free, limited to 128kbps, option you can use if you can't afford the higher. Read about their unique token-based [cryptostorm.org] authentication that separates the user account/payment information from the company.

SHA1 is no longer considered secure is should be immediately moved off of. It's not MD5 bad, but there have been proofs of concepts and theoretical attacks that are claiming to be able to break any key for a $250k of cloud compute time.

I'm typing VPN domains into their testing tool and its telling me "This site doesn't support SSL/TLS".

Last time I checked, most VPNs based on openvpn use TLS, like the ones I tried. My VPN config for privateinternetaccess.com requires "tls-client" directive and it uses a certificate to validate the server.

So I don't know what this article is talking about. If openvpn (which uses TLS) is too 'different' a protocol for their tools to examine, then there is something very wrong with the study its based on.

VPNs not mentioned once in UK’s terrifying new internet powers draft bill (4 Nov 2015)https://thestack.com/security/... [thestack.com]
".. force UK ISPs to keep an Internet Connection Record (now jargonised into ‘ICR’) for the previous 12 months for all of its customers, and also for the fact that it begins to deliver on prime minister David Cameron’s frequently-aired misgivings about zero-knowledge consumer-level encryption... "